The Missing Link in Cloud Security
By Heidi Parthena White
Recently, there has been a hyper-focus on cloud security — and with good reason. According to a McAfee report titled Building Trust in a Cloudy Sky: The State of Cloud Adoption and Security, cloud services are now a regular component of IT operations, used by more than 90% of organizations globally. In fact, 80% of all IT budgets are committed to cloud apps and solutions.
Service companies have the highest adoption of public cloud platforms, with engineering firms and the government having the highest adoption of private clouds. Surprisingly, this surge in cloud adoption is not met equally with security and trust, with only 23% of organizations today trusting public clouds to keep their data secure. And yet, 62% of organizations reported storing personal customer information in public clouds.
These statistics indicate that cloud security is lagging far behind cloud storage and adoption, much as cell phone batteries lag behind the phones they power. Cell phone technology continues to advance at an exponential rate, while battery technology advances sluggishly at best. As a result, battery life remains a major consumer complaint regardless of the other advances phone manufacturers make. What good is a beautiful, high-resolution screen and a lightning-fast processor if the battery can’t handle the load?
Likewise, cloud security threats have escalated alongside cloud data expansion, due in large part to the sheer number of records now being stored. At least 7.9 billion records of highly sensitive information were compromised in 2019 alone. The financial picture is just as stark: according to a study conducted by the Ponemon Institute, the average cost of a data breach is around $3.92m, and the cost per compromised record is $150. The increase in compromised records shows that a single data breach affects far more records today than it did just five years ago, as more and more sensitive information is stored digitally.
Numerous methodologies have been recommended in an effort to combat the reputation damage and astronomical cost associated with compromised data. The establishment and enforcement of cloud security policies is critical to the success of any data protection program, and any search on cloud security turns up a wealth of articles and guides addressing these strategies. An enormous amount of focus is placed on encryption, endpoint security, user controls, and security audits. All of these strategies aim to protect data from digital threats such as hackers and bots, which is of huge importance. However, a critical security control is missing from most data security plans — an end-of-life policy.
Cloud security providers who actually define an end-of-life strategy are rare, and those with a comprehensive program are rarer still. Many providers erroneously believe that erasing or overwriting a disk is sufficient, or, more unsoundly, that a failed drive is precisely that – failed, and non-recoverable. Unfortunately, nothing could be further from the truth. And while the concrete costs of a breach can be addressed, it’s not always as easy to mend the loyalty of the consumers affected.
The global customer sentiment survey polled 4,500 adults in the US, UK, Germany, Japan and Australia to see how a data breach would affect their willingness to do business with the breached company in the future: 65% of respondents would never do business with a company where financial information was stolen; 37% of respondents would never do business with a company where non-financial information was stolen; and only 50% of respondents feel companies are taking their protection and security seriously enough.
Fortunately, many compliance regulations do address data end-of-life, which is why any cloud security provider should adhere to an appropriate regulation. Whether HIPAA, FACTA, FISMA, PCI DSS, or the most stringent National Security Agency (NSA) requirements, these regulations are put in place to keep sensitive data and personally identifiable information (PII) from falling into the wrong hands at drive end-of-life. The risk is real: Blancco Technology Group analyzed 200 hard drives purchased from second-hand sites such as eBay and Craigslist in the first quarter of 2016 and found that 67% of the devices held recoverable information, including PII such as names, addresses, and Social Security numbers.
In-house data destruction is the ideal way to securely manage drives at end-of-life. Many data destruction devices are available, from high-security disintegrators to enterprise-specific, portable, and NSA-listed solutions. There is simply no one-size-fits-all solution when it comes to data destruction; organizations looking to incorporate data destruction into their cloud security program should therefore undergo a thorough evaluation to determine which solutions best fit their needs. One thing is for sure: no cloud security program is complete without addressing end-of-life destruction. Security-minded organizations must evolve towards a risk-mitigation approach to data security that includes in-house data end-of-life destruction and disposal.